CMMC-AB May Town Hall: Key Takeaways

May’s CMMC-AB Town Hall marked the end of an era.

There will be no more CMMC-AB Town Halls discussing what the accreditation body is doing to prepare the ecosystem of consultants, educators and assessors for the upcoming final CMMC rule. That’s because, in May’s Town Hall, the CMMC-AB announced their rebranding to The Cyber AB.

If you missed the event and you’re following along, this is what you need to know:

  1. The CMMC-AB is now doing business as The Cyber AB.

  2. They updated their logo and associated badges.

  3. They updated their website and marketplace.

  4. 5 New CMMC 3rd Party Assessor Organizations received accreditation.

  5. There is a new advanced Registered Practitioner designation coming in July.

A few weeks after The Cyber AB Town Hall, PreVeil hosted Countdown to Compliance: Expect CMMC by May 2023 with special guests DoD Deputy CIO David McKeown and Director of CMMC Stacy Bostjanick.

Since our Town Hall blogs summarize the latest news from the leading CMMC authorities, here were our key takeaways from this presentation:

  1. Only controls with a value of 1 point are allowable on a POA&M during certification.

  2. Don't hold your breath on receiving a waiver unless you're in a brand new industry.

  3. The bifurcated group of Level 2 certifications that can self-attest is very small.

  4. Implementation of CMMC requirements will look more like a phased rollout.

  5. Consider voluntary assessments high assurance today and valid for 3-4 years.

  6. Level 3 will consist of 24 of about 35 controls listed in NIST SP 800-172.

  7. Projected timelines for Interim Rule or Final Rule.

Let’s assess this month’s updates.

Introducing The Cyber AB

The May 2022 Town Hall happened on June 7th, 2022, since the last Tuesday in May fell the day after the Memorial Day holiday. News broke the day before that the Accreditation Body was now doing business as The Cyber AB.

Part of the explanation was to distance themselves from any confusion that they are an official part of the federal government. The Cyber AB has always been a 501(c) tax-exempt organization that holds a no-cost, sole-source contract with the US Department of Defense to oversee the CMMC ecosystem.

Looking forward, the rebrand should provide more flexibility to expand its services to other agencies within the US Government and other countries that may not use the Cybersecurity Maturity Model Certification (CMMC) name.

New Logos and Badges

Aside from the name change, you’ll notice a new logo for The Cyber AB as well as new badges held by participants in their ecosystem. The new logo helps separate The Cyber AB from the official DoD CMMC logo for the program.

The individuals providing services have had a rebranding of their badges as well.

Website Updates

CEO Matthew Travis gave us a sneak peek at some of the integrated technology utilized by the new Cyber AB website - https://cyberab.org/. The old landing page cmmcab.org will redirect you to the new site.

The Marketplace was one area The Cyber AB focused on improving. In the original marketplace, it wasn’t easy to filter and find consultants, assessors, or training providers by state. The new marketplace is a work in progress.

Currently, the site takes a long time to load when you first visit. Matthew Travis had to abort a live demo during the Town Hall given the lag time loading.

The Cyber AB acknowledged that they were not able to convert pictures from the old marketplace to the new. They expect participating individuals and organizations to update their pictures. They also requested members input data into new fields (years in business, state and scope of services) to enable better searches.

There is now a CMMC News section, a larger catalog of previous Town Hall videos, upcoming and featured Webinars & Public Events, a listing of Press Releases, and a Discussion & Idea page that they’re still working to set up.

We’ll say the launch went better than Dunder Mifflin Infinity but we’re pretty sure they didn’t hire American Eagle.

5 New CMMC 3rd Party Assessor Organizations

Since the April Town Hall, The Cyber AB authorized five new CMMC 3rd Party Assessor Organizations (C3PAO). They have also changed the “C” in C3PAO to stand for CMMC and not Certified, something that they have yet to update on their new website.

Registered Practitioner Advanced

At the June Town Hall, The Cyber AB hinted at rolling out a new category of consultants, Registered Practitioner Advanced. Visiting the Consulting and Implementation part of their new website, we found this new position listed below the current Registered Practitioner designation.

Source: The Cyber AB

According to Kyle Ginrich, Vice President of Training and Development at The Cyber AB, the initial training provided under the Registered Practitioner course aligns with Level 1. Consultants that want to be better prepared to consult with clients certifying at Level 2 should consider taking the Registered Practitioner Advanced (RPA) course.

An alternative path already exists down the assessor route. Granted, an individual would have to take a Certified CMMC Professional training course at the expense of $2,000 to $4,000, but the annual renewal cost is $750 less per year.

Source: The Cyber AB

Let’s pivot to some of the updates from DoD on June 24th at the PreVeil webinar, DoD Countdown to Compliance.

Source: Preveil The DoD’s Countdown to Compliance

Allowable POA&M

Stacy expects publication of the CMMC Assessment Process (CAP) document by the end of August. It will contain a policy regarding Plans of Action and Milestones (POA&Ms).

She anticipates that the policy will state any control from NIST SP 800-171 with a score value of 1 point is permissible on a POA&M.

Innovation Waivers

On the subject of waivers, Stacy indicated that only very high levels within DoD would approve their use. Their existence allows DoD to make exceptions for industries so new that they may not have been able to put in place the NIST SP 800-171 controls yet.

The majority of companies should not expect to receive a waiver. Stacy and David reminded the audience that NIST SP 800-171 requirements have been around since the start of 2018.

The Bifurcated Few

The DoD is still planning on bifurcating Level 2. This means one group will have a third-party assessment while another can continue to self-assess.

Stacy indicated that most companies take part in more than one contract. She also noted that most contracts will involve a certification assessment for Level 2.

Therefore, they expect the number of self-attested Level 2 certifications to be very small. There was no indication of the risk equation that the DoD will use to determine the bifurcation of prioritized acquisitions.

Phased Implementation

Several articles came out last month that indicated DoD was considering a phased implementation plan.

Stacy confirmed those reports, acknowledging that the capacity of the ecosystem was a limiting factor. Stacy stopped short of providing details of the rollout plan, so we’ll have to wait for the interim or final rule.

Voluntary Assessments

It sounds like DoD has hashed out some of the incentives around conducting voluntary assessments.

The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will take part alongside C3PAOs. Organizations that pass the Level 2 assessment will receive credit for a high assurance DIBCAC assessment.

Post rule-making, those who passed under the voluntary program will receive a certification valid for three years.

24 Level 3 Controls

All we have known about Level 3 is that it would involve the tailoring of NIST SP 800-172.

In a slide labeled CMMC Update, DoD indicated that they have selected 24 out of the 35 controls as the enhanced requirements for Level 3. Neither official commented on the 24 controls selected but in a previous blog, we noted that 15 map back to Levels 4 and 5 from CMMC 1.0.

Source: Preveil The DoD’s Countdown to Compliance

Interim or Final Rule Timing

In our last blog, we talked about the difference between an interim rule and a final rule.

Stacy stuck to the timeline we heard last month. If the Office of Management and Budget (OMB) awards DoD an Interim Rule, then rule-making could come as early as March 2023. There would be a sixty-day waiting period before solicitations contained these new terms.

If DoD does not receive an Interim Rule from OMB, the process to get a Final Rule may take an extra year. This would push the rulemaking process out to the first half of 2024.

Conclusion

There is a sense of frustration evident behind the measured approach that DoD is taking with CMMC. When asked what companies should be doing today, David said NIST SP 800-171.

Stacy reiterated “we’re not doing this to be onerous, we recognize the threat of leaked information is putting warfighters at risk”.

The goal of NIST SP 800-171 is to protect the confidentiality of controlled unclassified information (CUI). DoD doesn't want this information falling into the hands of our adversaries.

Over the past 20 years, China has leapfrogged decades of research and development by stealing this information. Our inability to protect CUI has put our adversaries on peer footing, creating new threats.

DoD now has to consider that an adversary would deny our ability to access information and systems critical to national security. David alluded that DoD is now looking outside of NIST SP 800-171 to incorporate protections that would guard against this threat. He mentioned the NIST Cybersecurity Framework as a mechanism they were evaluating.

CMMC 1.0 and 2.0 hinder our adversaries’ ability to weaponize our information against us.

CMMC 3.0 may expand upon this foundation to also protect against adversaries seeking to deny our ability to access our information. The former implies there is a competitive advantage to maintain. The latter would imply we are closer to a confrontation with a peer adversary.